On 30/12/2022 15:52, Bastien wrote:
But are we sure that users need to confirm header args evaluation
separately from code blocks evaluation?
I do not think we need to confirm header arguments *separately*, but
they should not be executed before asking users. It is not easy to
implement request for header arguments in another way.
Commit
10e857d42 2022-10-28 11:09:50 +0800 Ihor Radchenko: org-babel-read: Obey
`org-confirm-babel-evaluate'
was a reaction to
Max Nikulin. [BUG][Security] begin_src :var evaluated before the prompt
to confirm execution. Thu, 27 Oct 2022 10:18:05 +0700.
https://list.orgmode.org/tjct9e$179u$1...@ciao.gmane.io
The latter partially was caused by demand to open arbitrary Org files
downloaded from net in Emacs.
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=58774
[WISH]: Let us make EWW browse WWW Org files correctly
Accidental unsolicited code execution due to unintentional C-c C-c may
be rather dangerous, it does not depend if it is source block body,
header arguments, or table formula (the latter may still be activated by
just TAB). Org-9.5 behavior is not ideal but at least acceptable for
most of trusted (e.g. private) Org files.
